LDAP Configuration Notes for Using AD (Active Directory) Authentication

Mindwatering Incorporated

Author: Tripp Black

Created: 05/06/2009 at 06:02 PM


Category:
Domino Upgrades / Installations
Software (Re)Configuration

STEPS:

Notes.ini
ServerTasks line: Add LDAP to list of services (separated by commas)

Server Document:
- Basics Tab:
-- Directory Assistance Database: da.nsf

- Security Tab:
-- More Name Variations with Less Security OR Fewer Name Variations with More Security

- Ports Tab --> Internet Ports Tab --> LDAP Tab:
-- If Domino is an LDAP source, verify the appropriate port(s) are open.

Schema.nsf
- Verify schema.nsf exists. If it is not on this server, it should exist on the Admin server for the Notes domain; create a replica on "this" server.

Directory Assistance (DA) Database
- If it doesn't exist, create it from the template (da.ntf) and name it da.nsf.
- Set up the database ACL.
- Create the DA document.


DA Document:

- Basics Tab
-- Type: LDAP
-- Domain Name: MWAD (anything unique)
-- Search Order: 1 (1st priority in Directory Assistance)
-- Make available to: Notes Client & Internet Users
-- Group Authorization: Yes
-- Nest Group Expansion: Yes (this will slow things down some)
-- Enabled: Yes

- Naming Contexts (Rules) Tab
-- Update N.C. 1 (first line)
-- Leave OrgUnit fields alone. DC and classObject types cannot be set here for AD.
-- Enabled Yes
-- Trusted for Credentials: Yes

- LDAP Tab
-- Hostname: srv1.ad.mw.local, bckup2.ad.mw.local
-- Optional Auth. Credential: (hopefully not optional)
--- Username: cn=tripp,ou=users,dc=mw,dc=local
--- Password: myPassw9rd
-- Base DN: dc=mw,dc=local (this can be the complicated part. Use the ldapsearch tool and an LDAP browser to help you.)
-- Channel Encryption: SSL (or none; SSL is better if AD is set up to use it)
-- Port: 636 (default SSL port, 389 standard port w/o SSL)
-- Type of search filter: Active Directory
-- (Advanced) Filter: (|(CN=%*)(uid=%*))

Load LDAP:
- Type load ldap in the console. Check for any errors while starting.
- Issue restart server in the console to restart the Domino services and confirm that LDAP loads automatically.
- Watch for any errors from directory services or LDAP about the new LDAP secondary directory.

__________________

NOTES:

Only one secondary LDAP directory is allowed with Group Authorization set to Yes.


Database ACL Entries
- Fully qualified Notes names in canonical format
ex: cn=Tripp/ou=Users/dc=mindwatering/dc=local

For shortname authentication:
- 6.5.6 / 7.0.1 - required for Domino to recognize sAMAccountName.
- Server doc Security settings: More Name Variations & Less Security to use the sn, givenname, and mail attributes.


Authentication Tools:

ldapsearch - found in the Notes client and Domino program directories
- Examples:

ldapsearch -h srv1.ad.mw.local -b "" -s base "(objectclass=*)"
- anonymous connection


ldapsearch -h srv1.ad.mw.local -D "myuser@mw.local" -w 123456 -b "cn=users, \
dc=mw,dc=local" -s sub "(cn=*)" cn mail sn
- authenticated connection specifying filter and base.


Sh XDIR - console command that shows the primary and secondary (DA) directories.

Notes.INI Name Resolution Help:
WebAuth_Verbose_Trace=1 - prints look-up in $Users, then prints look-up in LDAP with base and filter.

Login Formats for LDAP
- cn=Tripp Black,ou=Users,dc=mw,dc=local
- uid=123321,ou=Users,dc=mw,dc=local
- 123321 or ad012
-- last entry assumes shortnames allowed
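The DA search filter above substitutes whatever the user typed for %*, and the ACL section shows the same directory entry written once as an LDAP DN and once as a Notes canonical name. The following Python is an added example, not code from these notes or from Domino: it escapes a login name before it is placed in the filter template (RFC 4515), splits an LDAP DN into its components (RFC 4514, including escaped commas), converts that DN to the slash-separated form used in Domino ACL entries, and models the DN-versus-shortname decision from the login formats list. The resolve_login function is a simplified model of that decision and an assumption, not Domino's actual code path; the sample names are constructed.

```python
from __future__ import annotations

# Filter template taken from the DA document notes above; Domino replaces %* with the login name.
FILTER_TEMPLATE = "(|(CN=%*)(uid=%*))"

_HEX = "0123456789abcdefABCDEF"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Characters the filter parser treats specially are replaced with their
    backslash-hex form, so a typed name such as 'a)(cn=*' cannot change the
    shape of the query Directory Assistance sends to AD.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(login_name: str, template: str = FILTER_TEMPLATE) -> str:
    """Expand the DA filter template, substituting the escaped login name for every %*."""
    return template.replace("%*", escape_filter_value(login_name))


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute, value) pairs, most specific first.

    Backslash escapes are honoured, both the literal form ('Black\\, Tripp')
    and the two-digit hex form ('Black\\2c Tripp'), so commas inside values
    do not start a new component. Attribute names are lower-cased.
    """
    components, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(c in _HEX for c in nxt):
                current.append(chr(int(nxt, 16)))   # \2c -> ','
                i += 3
            else:
                current.append(dn[i + 1])           # \, -> ','
                i += 2
            continue
        if ch == ",":
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    components.append("".join(current))

    pairs = []
    for rdn in components:
        attr, sep, val = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), val.strip()))
    return pairs


def to_notes_canonical(dn: str) -> str:
    """Convert an LDAP DN to the slash-separated canonical form used in Domino ACLs.

    'cn=Tripp,ou=Users,dc=mw,dc=local' -> 'cn=Tripp/ou=Users/dc=mw/dc=local'
    A value containing '/' is rejected because '/' is the separator in Notes names.
    """
    pieces = []
    for attr, val in split_dn(dn):
        if "/" in val:
            raise ValueError(f"value {val!r} contains '/' and cannot be a Notes name component")
        pieces.append(f"{attr}={val}")
    return "/".join(pieces)


def resolve_login(login: str, shortnames_allowed: bool = True) -> tuple[str, str]:
    """Simplified model (an assumption, not Domino's code path) of the login formats list:
    a DN is used as typed, anything else becomes a filter search, which is only
    permitted when short-name logins are allowed for the directory."""
    if "=" in login:
        pairs = split_dn(login)    # raises ValueError on a malformed DN
        return ("dn", ",".join(f"{a}={v}" for a, v in pairs))
    if not shortnames_allowed:
        raise PermissionError("short-name logins are not enabled for this directory")
    return ("search", build_filter(login))


if __name__ == "__main__":
    print(build_filter("ad012"))
    print(to_notes_canonical("cn=Tripp,ou=Users,dc=mw,dc=local"))
    print(resolve_login("123321"))
```

Run it directly to see the three forms side by side; the escaping step is the one worth keeping in mind when a directory accepts names typed by end users, since the filter template treats the substituted text as filter syntax.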
